Generally speaking, I have a very, very low opinion of newspapers and journalists. I suspect that our supposed desire for 24 hour a day news may be to blame, but the fact is they love to create stories out of nothing, playing on our fears and our preconceptions. Also generalising, I used to think of the Times and the Guardian as being at least reasonably respectable newspapers, where at least some semblance of sensible reporting was taking place. I admit, I may have been a bit naive here.

In yesterday’s Guardian, page 6 and most of page 7 were taken up by an article titled “Do you want Lloyds or HSBC? Account details for sale online” (online version of article). This is a well timed article to play on our fears, both over the missing 25 million HMRC records and our fears about identity theft / online fraudsters emptying our accounts.

Now, I am not for one second trying to say there is no risk or that people do not have their bank accounts hacked and all their money stolen. I just suspect it is a lesser threat to the “average” person than the newspapers make out. In this article, Robert Booth begins with:

It took just 19 hours from first contact with the anonymous Russian fraudster until he collected my $240 (£116.50) payment from a local “drop”.

And then continues, sometimes in the manner of an airport spy novel, to detail how in a short period of time he has found dozens of (mostly Russian) criminal organisations who are selling bank account details for a pittance. It is scary reading. Robert Booth writes about how these “Internet Banking Fraud communities” steal accounts and circulate the details over “untraceable” internet messaging applications like ICQ. (Really, he does write this). He continues writing about his adventures:

The encounter with the anonymous Russian in an internet chatroom was one of scores like it going on at the time. In a separate private message, another vendor promised: “I will give you HSBC full info with 26k Pounds…for $500…When can you wire money?”

The whole (longish) article is like this. There are quotes from people at SOCA, security consultants and the like. All talk about how dangerous the internet is and add to this image of the “Internet bank fraud community” sitting around trading details and earning fortunes as a result:

The community has developed a high level of sophistication so that trusted parties can trade efficiently. In one posting on a forum selling card details a fraudster reports to the rest of the community on the “review” he has conducted of a new entrant to the market.

He has tested his speed of response and accuracy of information supplied and marks him out of 10 for communication, timing and product. “Total: 9/10 nice score,” he concludes and awards the status of “trial vendor”.

Many vendors offer discounts for bulk buyers and even display a replacement policy. If the account details do not work most vendors will replace the data with a different lead. SOCA, which has responsibility for fighting organised internet fraud, has set up a series of cross-border alliances to tackle the problem, but declined to comment on our findings.

Wow. Lock up your bank accounts now! This is scary stuff!

However, you can breathe a sigh of relief gentle reader because, largely, this is a case of a journalist who has fallen for a pretty basic scam. Yes, there is fraud going on here, but the victim isn’t the innocent bank account holder. A simple application of logic (counts most journalists out then) to the basic premise hints at something not being as it seems.

Imagine this, you are a techno-savvy criminal who has gone to all the trouble to acquire account details which will allow you to empty £26,000 from a strangers account. You have done this without anyone knowing or being able to trace it was you. Would you then sit on the account details until another complete stranger got in touch with you and sent you US$500?

What sane criminal is going to turn down the £26,000 (US$52,000) and take one hundredth of that instead. The risk to the cyber-crook remain, he has just given up 99% of his potential monetary gain. In fact, if anything, his risks have escalated significantly because he now has to contend with police sting operations.

It is madness to suggest that these account details are really being sold online for such pitiful sums of money. Cyber criminals who hack into bank accounts will either empty them there and then, or use them for their own ends. Selling the details on to random internet strangers is completely stupid.

Just to underscore my point, the Guardian article finishes with this bit of reassurance:

As sobering as the trade in stolen identities has become, there was a crumb of comfort last night for the Halifax account holder whose details the Russian fraudster was peddling. Twelve hours after the payment had been withdrawn from a Siberian wire office, the Guardian was still waiting for the promised bank details.

So, in reality, I suspect this is the more common type of fraud. People who want to be cyber-criminals but lack the technical knowledge to manage it are being conned by other cyber-criminals who at least have the brains to pretend to be able to do something. The best frauds work by playing on the victim’s greed and willingness to commit criminal acts – I mean if someone is conned into paying £116.50 for illegally gained bank details, who can they complain to?